https://github.com/0xthiebaut/mdeproxy
Microsoft Defender for Endpoint Proxy (Device Timeline, ...)
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/0xthiebaut/mdeproxy
- Owner: 0xThiebaut
- License: eupl-1.2
- Created: 2024-07-08T09:32:28.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2024-08-20T10:44:16.000Z (9 months ago)
- Last Synced: 2025-01-28T05:41:56.628Z (4 months ago)
- Language: Go
- Homepage:
- Size: 557 KB
- Stars: 3
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
README
# MDE Proxy
MDE Proxy leverages an undocumented proxy at [security.microsoft.com] to access the undocumented
Microsoft Defender for Endpoint APIs (e.g., the device timeline).

This tool is inspired by [Defender Harvester], which does not rely on the undocumented proxy; however,
some organizations prevent direct access to the Security Center API (i.e., through conditional access policies), which
hinders incident response. This tool acts as a workaround: if you can access the timeline in a browser,
this tool can extract the data from the timeline API.

As a rough estimate, the timeline API produces 1 GB of data per appliance per month;
extraction of the data takes around 20 minutes per device per month.

## Getting Started
### Installation
MDE Proxy is written in [Go] and can be installed as follows:
```bash
go install github.com/0xThiebaut/mdeproxy@latest
```

### Configuration
MDE Proxy relies on two headers sent through [security.microsoft.com]:
- `Cookie` which holds authentication data
- `X-XSRF-TOKEN` which holds a cross-site request forgery token

Extracting these header values can be done through the browser's developer tools when inspecting `POST` requests.
![Capture]
### Usage
With the two header values extracted, a device's timeline can be extracted as follows:
```bash
mdeproxy timeline --cookie COOKIE --xsrf XSRF --machine MID --from 2024-04-01T00:00:00Z --to 2024-07-01T00:00:00Z --output timeline.jsonl
```
- `COOKIE` being the cookie header extracted through the browser's developer tools.
- `XSRF` being the cross-site request forgery token extracted through the browser's developer tools.
- `MID` being the hexadecimal machine ID.

The `from` and `to` fields represent the time range of timeline data to recover.
This tool handles paging and is hence not subject to the usual 7 or 30 day limit.
By omitting `from` and `to`, the last 6 months of data are exported.

[Defender Harvester]: https://github.com/olafhartong/DefenderHarvester
[Go]: https://go.dev/doc/install
[security.microsoft.com]: https://security.microsoft.com
[Capture]: docs/images/Tokens.jpg
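The paging and default-range behaviour described under Usage, as an added Go example that is not part of the mdeproxy code base: it applies the six-month default when `from`/`to` are omitted, splits the requested range into fixed-size windows so the API's per-request limit is never exceeded, and drives a pluggable fetcher over those windows. The 7-day window size, the `Window` type and the `Fetcher` stand-in are assumptions for illustration (the page only says the API has "the usual 7 or 30 day limit"); nothing here talks to security.microsoft.com.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Window is one [From, To) slice of the requested timeline range.
type Window struct {
	From, To time.Time
}

// DefaultLookbackMonths mirrors the README: with no from/to, export the last 6 months.
const DefaultLookbackMonths = 6

// MaxWindow is an ASSUMED per-request limit of 7 days; the page only says the
// timeline API imposes "the usual 7 or 30 day limit", so 7 is the conservative pick.
const MaxWindow = 7 * 24 * time.Hour

// ResolveRange applies the default range: an omitted "to" means now and an
// omitted "from" means DefaultLookbackMonths before the end of the range.
func ResolveRange(from, to *time.Time, now time.Time) (time.Time, time.Time, error) {
	end := now
	if to != nil {
		end = *to
	}
	start := end.AddDate(0, -DefaultLookbackMonths, 0)
	if from != nil {
		start = *from
	}
	if !start.Before(end) {
		return time.Time{}, time.Time{}, errors.New("from must be earlier than to")
	}
	return start, end, nil
}

// SplitRange chunks [from, to) into consecutive windows of at most size each, so a
// multi-month request becomes a series of requests the API's limit will accept.
// The final window is shorter when the range is not a multiple of size.
func SplitRange(from, to time.Time, size time.Duration) ([]Window, error) {
	if size <= 0 {
		return nil, errors.New("window size must be positive")
	}
	if !from.Before(to) {
		return nil, errors.New("from must be earlier than to")
	}
	var windows []Window
	for cur := from; cur.Before(to); {
		next := cur.Add(size)
		if next.After(to) {
			next = to // clamp the last window to the requested end
		}
		windows = append(windows, Window{From: cur, To: next})
		cur = next
	}
	return windows, nil
}

// Fetcher stands in for one timeline request (hypothetical). It is a function value
// so the paging loop can be exercised offline; the real tool issues an HTTP request here.
type Fetcher func(w Window) ([]string, error)

// Collect walks the windows in order and concatenates every page of events. It
// stops at the first failure so a partial export is never reported as complete.
func Collect(from, to time.Time, size time.Duration, fetch Fetcher) ([]string, error) {
	windows, err := SplitRange(from, to, size)
	if err != nil {
		return nil, err
	}
	var events []string
	for _, w := range windows {
		page, err := fetch(w)
		if err != nil {
			return nil, fmt.Errorf("window %s..%s: %w",
				w.From.Format(time.RFC3339), w.To.Format(time.RFC3339), err)
		}
		events = append(events, page...)
	}
	return events, nil
}

func main() {
	// Same range as the README's usage line: 2024-04-01 to 2024-07-01 (91 days).
	from := time.Date(2024, 4, 1, 0, 0, 0, 0, time.UTC)
	to := time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC)
	windows, err := SplitRange(from, to, MaxWindow)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d windows of at most %s\n", len(windows), MaxWindow)
	for _, w := range windows {
		fmt.Println(w.From.Format(time.RFC3339), "->", w.To.Format(time.RFC3339))
	}
}
```

Failing fast in `Collect` is deliberate: a timeline export that silently skips a window would leave a gap in exactly the data an investigation relies on, so an error for any window aborts the whole run rather than producing an incomplete file that looks complete.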